Certificate operations (openssl, keytool)

 


I've spent quite a while recently on certificate-related work, so here is a record of some of the commands used; I'll add the Java code used when I have time.


Certificate conversion (openssl):


openssl pkcs12 -export -inkey test.key -in test.cer -out test.pfx
openssl pkcs12 -in test.pfx -nodes -out test.pem
openssl rsa -in test.pem -out test.key
openssl x509 -in test.pem -out test.crt
(.cer and .crt are only file extensions; either may hold PEM or DER, so renaming is fine as long as the reader expects that encoding. The commands above read and write PEM; for the binary form use -outform DER when writing and -inform DER when reading, and a DER .cer must be converted to PEM before it can be fed to pkcs12 -export. -nodes writes the private key into test.pem unencrypted, so treat that file like the key itself.)
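An added example, not from the original notes: a script that runs the four conversions above on a throw-away self-signed pair and, after every hop, checks that the certificate still belongs to the private key by comparing the RSA modulus of each artifact. The subject, file names and the PFX password "changeit" are made-up demo values. It also produces a DER copy, which the .cer/.crt remark above glosses over.

```shell
#!/bin/sh
# Added example, not from the original notes: PEM key+cert -> PKCS#12 -> PEM -> key/cert/DER,
# verifying at every hop that certificate and key still share the same RSA modulus.
# Subject, file names and the password "changeit" are demo values.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away self-signed pair standing in for test.key / test.cer (constructed input).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=companyName/CN=test.example" \
        -keyout "$WORK/test.key" -out "$WORK/test.cer" >/dev/null 2>&1
}

# Hash of the RSA modulus: a key and a certificate match iff these are equal.
# $1 = rsa|x509|req, $2 = file, $3 = optional -inform value (PEM by default)
modulus_id() {
    openssl "$1" -in "$2" -inform "${3:-PEM}" -noout -modulus 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Runs the four conversions from the notes and prints "ok" only if everything still matches.
pkcs12_roundtrip() {
    make_test_pair || { echo "keygen failed"; return 1; }
    pass=changeit

    # 1. test.key + test.cer -> test.pfx (the cert must be PEM here; convert DER first)
    openssl pkcs12 -export -inkey "$WORK/test.key" -in "$WORK/test.cer" \
        -out "$WORK/test.pfx" -passout "pass:$pass" >/dev/null 2>&1 || { echo "export failed"; return 1; }
    # 2. test.pfx -> test.pem: key and cert in one file; -nodes leaves the key unencrypted on disk
    openssl pkcs12 -in "$WORK/test.pfx" -nodes -out "$WORK/test.pem" \
        -passin "pass:$pass" >/dev/null 2>&1 || { echo "import failed"; return 1; }
    # 3./4. split the bundle into key and certificate
    openssl rsa  -in "$WORK/test.pem" -out "$WORK/out.key" >/dev/null 2>&1 || { echo "rsa failed"; return 1; }
    openssl x509 -in "$WORK/test.pem" -out "$WORK/out.crt" >/dev/null 2>&1 || { echo "x509 failed"; return 1; }
    # .cer/.crt say nothing about encoding; this is the same certificate as binary DER
    openssl x509 -in "$WORK/out.crt" -outform DER -out "$WORK/out.der" >/dev/null 2>&1 || { echo "der failed"; return 1; }

    orig=$(modulus_id rsa "$WORK/test.key")
    [ -n "$orig" ]                                         || { echo "no modulus";    return 1; }
    [ "$(modulus_id rsa  "$WORK/out.key")"     = "$orig" ] || { echo "key mismatch";  return 1; }
    [ "$(modulus_id x509 "$WORK/out.crt")"     = "$orig" ] || { echo "cert mismatch"; return 1; }
    [ "$(modulus_id x509 "$WORK/out.der" DER)" = "$orig" ] || { echo "der mismatch";  return 1; }
    # and the certificate itself is unchanged: same SHA-256 fingerprint before and after
    a=$(openssl x509 -in "$WORK/test.cer" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/out.crt"  -noout -fingerprint -sha256)
    [ "$a" = "$b" ] || { echo "cert altered"; return 1; }
    echo ok
}

# Prints "ok" when run directly; skips quietly where openssl is not installed.
command -v openssl >/dev/null 2>&1 && pkcs12_roundtrip
```

The modulus comparison is the check to run whenever a PFX, a PEM key and a CER of uncertain origin are being combined: pkcs12 -export refuses a mismatched pair, but comparing moduli tells you which file is the odd one out.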


Creating an RSA-2048 certificate signed with SHA256withRSA

1. Create the keystore: keytool -genkey -alias companyNametest -keyalg RSA -sigalg SHA256withRSA -keysize 2048  -keystore D:\companyNametest.keystore -validity 36500

(-keyalg RSA with -keysize 2048 selects the key type and size; -sigalg SHA256withRSA selects the signature algorithm, SHA-256 digest with RSA; -validity is in days, so 36500 is about 100 years, acceptable for a throw-away test keystore but not for a certificate anything is expected to trust)

 A more complete command:

 keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -alias test_key -keypass 123456 -keystore ./test.keystore -storepass 123456 -dname "CN=localhost,OU=DEP,O=CN,L=SH,C=CN"

   Where: -keyalg the key algorithm; -keysize the key size; -validity the validity period in days; -alias the entry's alias; -keypass the password protecting the private key;

-keystore the keystore file name; -storepass the keystore password, needed whenever the store is opened, e.g. to export the certificate; -dname the subject name: CN is the owner, for a server certificate the hostname or IP that clients connect to, e.g. www.baidu.com (no port), OU the organizational unit, O the organization, L the city, ST the state or province, C the two-letter country code. The passwords 123456 are placeholders. Note that since JDK 9 keytool creates PKCS12 keystores by default, and a PKCS12 keystore does not support a key password different from the store password (keytool warns and ignores -keypass).
2. (Optional) Re-issue the self-signed certificate: keytool -selfcert -alias test_key -keystore ./test.keystore
   (-genkey already stores a self-signed certificate for the new key pair, so this only replaces it, e.g. after changing the subject)
3. Verify: keytool -list -v -alias test_key -keystore ./test.keystore
4. Export the certificate (PEM, because of -rfc): keytool -export -alias test_key -keystore ./test.keystore -storepass 123456 -rfc -file ./test.cer


Export a CSR: keytool -certreq -keystore company.keystore -alias company -file pa.csr


List the keystore contents (the way to verify what was created): keytool -list -v -keystore company.keystore


Generate (when a CA will issue the certificate):
1. Generate the keystore and key pair: keytool -genkey -alias companyName -keyalg RSA -keystore companyName.jks -keysize 2048
2. Generate a certificate request (CSR) for the existing keystore: keytool -certreq -alias companyName -keystore companyName.jks -file companyName.csr



keytool -genkey -alias yushan -keypass yushan -keyalg RSA -keysize 2048 -keystore  e:\yushan.keystore -storepass 123456 -dname "CN=(first and last name), OU=(organizational unit), O=(organization), L=(city or locality), ST=(state or province), C=(two-letter country code)"


keytool -genkey -alias companyNametest -keypass companyNametest -keyalg RSA -keysize 2048 -keystore  e:\companyNametest.keystore -storepass 111111 -dname "CN=051, OU=SSL-RSA, O=companyName, L=Shanghai, ST=Shanghai, C=CN"


keytool -genkey -alias companyNametest -keypass companyNametest -keyalg RSA -keysize 2048 -keystore  companyNametest.keystore -storepass 111111 -dname "CN=CN, OU=OU, O=O, L=L, ST=ST, C=C"




CN=051@companyName@N91440300789222662P@1,OU=Organizational-1,OU=companyName,O=CFCA RSA OCA31,C=CN


CN = 192.168.*.*
OU = SSL-RSA
O = companyName
L = Shanghai
S = Shanghai
C = CN


Create the SSL key and CSR (openssl):
Target subject: CN=192.168.*.*,OU=SSL-RSA,O=company,L=Shanghai,S=Shanghai,C=CN (S is how Windows labels the state field; keytool's -dname takes ST and also accepts S, while openssl -subj requires ST)
 1. Create the private key file company_ssl.key (-des3 encrypts it with 3DES under a passphrase; -aes256 is the better choice today):
    openssl genrsa -des3 -out company_ssl.key 2048
 2. Create the certificate request company_ssl.csr for that key (openssl asks for the subject fields interactively, see below):
    openssl req -new -key company_ssl.key -out company_ssl.csr
 3. Inspect the CSR:
openssl req -in company_ssl.csr -noout -text

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:companyName
Organizational Unit Name (eg, section) []:SSL-RSA
Common Name (eg, your name or your server's hostname) []:192.168.*.*




Final procedure: 1. Signing certificate (keytool):
Create the keystore: keytool -genkey -alias companyNametest -keyalg RSA -sigalg SHA256withRSA -keystore companyNametest.keystore -keysize 2048
Create the self-signed certificate (re-issues the one -genkey already made): keytool -selfcert -alias companyNametest -keystore companyNametest.keystore
Verify: keytool -list -v -alias companyNametest -keystore companyNametest.keystore
Export the certificate (PEM): keytool -export -alias companyNametest -keystore companyNametest.keystore -storepass 111111 -rfc -file companyNametest.cer
Export a CSR: keytool -certreq -keystore companyNametest.keystore -alias companyNametest -file companyNametest.csr
Export the private key (pfx): done with a keytool GUI front-end, since keytool itself has no command that writes a private key out; the command-line alternative is converting the whole keystore to PKCS#12 with keytool -importkeystore and reading the key out with openssl pkcs12


What is your first and last name?
  [Unknown]:  051@companyName@N91440300789222662P@1
What is the name of your organizational unit?
  [Unknown]:  Organizational-1
What is the name of your organization?
  [Unknown]:  CFCA RSA OCA31
What is the name of your City or Locality?
  [Unknown]:  Shanghai
What is the name of your State or Province?
  [Unknown]:  Shanghai
What is the two-letter country code for this unit?
  [Unknown]:  CN
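An added example, not from the original notes, that scripts the keytool procedure listed here and at the top of the page (keystore, verify, CSR, certificate export) and replaces the "keytool GUI" step for the private key with a command-line conversion to PKCS#12 followed by an openssl read. The alias, subject, file names and the password "changeit" are demo values; it needs a JDK keytool and openssl on the PATH.

```shell
#!/bin/sh
# Added example, not from the original notes: the keytool procedure above, scripted end to end.
# Alias, subject and the password "changeit" are demo values; needs a JDK keytool and openssl.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/companyNametest.keystore"
ALIAS=companyNametest
PASS=changeit   # demo only; a real password should not sit on a shared command line

keytool_workflow() {
    # 1. keystore + key pair. -genkeypair is today's name for -genkey. The entry is created
    #    already self-signed with the given -sigalg, so a separate -selfcert is unnecessary.
    #    -storetype JKS mirrors the .keystore files in the notes (JDK 9+ defaults to PKCS12).
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 3650 -dname "CN=companyNametest,OU=SSL-RSA,O=companyName,L=Shanghai,ST=Shanghai,C=CN" \
        -keystore "$KS" -storetype JKS -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 \
        || { echo "genkeypair failed"; return 1; }

    # 2. verify with -list -v (not with -selfcert): entry type and signature algorithm
    keytool -list -v -keystore "$KS" -storetype JKS -storepass "$PASS" >"$WORK/list.txt" 2>/dev/null \
        || { echo "list failed"; return 1; }
    grep -q "PrivateKeyEntry" "$WORK/list.txt" || { echo "no private key entry"; return 1; }
    grep -q "SHA256withRSA"   "$WORK/list.txt" || { echo "unexpected sigalg";    return 1; }

    # 3. CSR for a CA, and the self-signed certificate as PEM (-rfc)
    keytool -certreq    -alias "$ALIAS" -keystore "$KS" -storetype JKS -storepass "$PASS" \
        -file "$WORK/req.csr"  >/dev/null 2>&1 || { echo "certreq failed"; return 1; }
    keytool -exportcert -alias "$ALIAS" -keystore "$KS" -storetype JKS -storepass "$PASS" \
        -rfc -file "$WORK/cert.cer" >/dev/null 2>&1 || { echo "export failed"; return 1; }

    # 4. private key export without a GUI: JKS -> PKCS#12 via -importkeystore, then openssl reads the key.
    #    (PKCS#12 written by old JDKs uses 3DES/RC2; OpenSSL 3 needs "-legacy" to read those.)
    keytool -importkeystore -srckeystore "$KS" -srcstoretype JKS -srcstorepass "$PASS" -srcalias "$ALIAS" \
        -destkeystore "$WORK/export.p12" -deststoretype PKCS12 -deststorepass "$PASS" -destkeypass "$PASS" \
        >/dev/null 2>&1 || { echo "importkeystore failed"; return 1; }
    openssl pkcs12 -in "$WORK/export.p12" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/key.pem" \
        >/dev/null 2>&1 || { echo "pkcs12 read failed"; return 1; }

    # 5. cross-check with openssl: CSR signature verifies; key, cert and CSR share one modulus
    openssl req -in "$WORK/req.csr" -noout -verify >/dev/null 2>&1 || { echo "csr does not verify"; return 1; }
    k=$(openssl rsa  -in "$WORK/key.pem"  -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORK/cert.cer" -noout -modulus 2>/dev/null)
    r=$(openssl req  -in "$WORK/req.csr"  -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$r" ] || { echo "key/cert/csr mismatch"; return 1; }
    echo ok
}

# Prints "ok" when run directly; skips where keytool or openssl is missing.
command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 && keytool_workflow
```

The openssl cross-check at the end is worth keeping in any such script: a CSR whose modulus differs from the keystore's key, or an exported .pem that does not match the .cer, is the usual reason a CA-issued certificate later fails to import.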



  2. Server certificate (openssl):
  Key file and "request" in one command: openssl req -new -x509 -days 100 -sha256 -newkey rsa:2048 -keyout company_ssl.key -out company_ssl.csr
  (note: with -x509 the output is a self-signed certificate, not a CSR, whatever the file is called, and a CA will not accept it; leave -x509 out to get a real request, as in the combined command below. -days only has an effect together with -x509.)
  Inspect the CSR: openssl req -in company_ssl.csr -noout -text
  Inspect the key: openssl rsa -noout -text -in company_ssl.key
  Combined, non-interactive: openssl req -new -days 365 -sha256 -newkey rsa:2048 -keyout company_ssl.key -out company_ssl.csr -subj "/C=CN/ST=Shanghai/L=Shanghai/O=companyName/OU=SSL-RSA/CN=192.168.*.*"
  (CN=192.168.*.* is stored literally and matches nothing: wildcards do not apply to IP addresses, and TLS clients today match names against the subjectAltName extension rather than CN. Put the real hostname or IP into a subjectAltName; OpenSSL 1.1.1 and later can add one from the command line with -addext.)
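An added example, not from the original notes: the server-side openssl steps above as a script, with two checks the notes leave out. First, a subjectAltName carrying the server address, because TLS clients match names against that extension and not CN, and 192.168.*.* is not a valid wildcard for an IP anyway. Second, a small probe showing that the "-new -x509 ... -out company_ssl.csr" command from the notes produces a certificate rather than a request. The address 192.168.1.10 and the file names are demo values, and -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original notes: the openssl server-side steps, scripted, with two
# checks the notes leave out: the address goes into a subjectAltName (clients ignore CN, and
# "192.168.*.*" is not a wildcard for IPs), and a probe showing that "req -x509" yields a
# certificate, not a CSR, no matter what the file is called. 192.168.1.10 and the file names are demo values.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=CN/ST=Shanghai/L=Shanghai/O=companyName/OU=SSL-RSA/CN=192.168.1.10"
SAN="subjectAltName=IP:192.168.1.10,DNS:localhost"   # -addext needs OpenSSL 1.1.1 or newer

# Key + CSR non-interactively. -nodes for the demo; for a real key prefer -aes256 over the notes' -des3.
# -days is left off: it only means something together with -x509.
make_csr() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORK/company_ssl.key" -out "$WORK/company_ssl.csr" \
        -subj "$SUBJ" -addext "$SAN" >/dev/null 2>&1 || { echo "req failed"; return 1; }
    # self-checks: the request's own signature verifies and the SAN really is inside it
    openssl req -in "$WORK/company_ssl.csr" -noout -verify >/dev/null 2>&1 || { echo "bad signature"; return 1; }
    openssl req -in "$WORK/company_ssl.csr" -noout -text 2>/dev/null | grep -q "IP Address:192.168.1.10" \
        || { echo "SAN missing"; return 1; }
    echo ok
}

# What kind of object is in the file? Tries the certificate parser, then the request parser.
what_is_it() {
    if   openssl x509 -in "$1" -noout >/dev/null 2>&1; then echo cert
    elif openssl req  -in "$1" -noout >/dev/null 2>&1; then echo csr
    else echo unknown
    fi
}

# The "-new -x509 ... -out company_ssl.csr" command from the notes: the result is a certificate.
make_selfsigned_named_csr() {
    openssl req -new -x509 -days 100 -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORK/x.key" -out "$WORK/misnamed.csr" -subj "$SUBJ" -addext "$SAN" >/dev/null 2>&1 \
        || { echo "req failed"; return 1; }
    what_is_it "$WORK/misnamed.csr"
}

# The bit length from "openssl rsa -noout -text" (the notes' key inspection step)
key_bits() {
    openssl rsa -in "$WORK/company_ssl.key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

if command -v openssl >/dev/null 2>&1; then
    make_csr && echo "company_ssl.csr is a $(what_is_it "$WORK/company_ssl.csr"), key is $(key_bits) bit"
    echo "req -x509 output named .csr is really a $(make_selfsigned_named_csr)"
fi
```

Run with sh; the first line reports a csr with a 2048-bit key, the second reports that the -x509 variant wrote a cert. The what_is_it probe is a quick way to settle "the CA rejected my .csr" tickets before reading anything else.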


Export to PKCS#12 (private key plus the certificate the CA issued for it): openssl pkcs12 -export -inkey company_ssl.key -in signatureCert-SSL.cer -out rrrr.pfx
(the -in certificate must be PEM and must have been issued for exactly this key, otherwise pkcs12 stops with a "no certificate matches private key" error; a DER .cer from the CA has to be converted to PEM first)
  
 





 
